Access to secure systems or networks, such as electronic mail systems or banking web sites, is often conditioned upon the entry of a character-based password or code, such as a Personal Identification Number (“PIN”), by an authorized user. Such passwords need not contain “words,” and may include combinations of uppercase or lowercase letters, numbers and/or other American Standard Code for Information Interchange (“ASCII”) characters, while PINs may generally include one or more numbers. Character-based passwords and PINs are typically used in combination with a corresponding user name or identifier assigned to someone who is authorized to access a secure system or network, and may either authenticate entry to the secured system or network by authorized users, or prevent access to such a system or network by unauthorized users. Unless a user name and corresponding password or PIN are entered, access is denied.
Passwords or PINs that consist solely of alphanumeric and/or ASCII characters have many intrinsic limitations, however. First, character-based passwords or PINs are more secure when they are longer, i.e., when they include a greater number of characters. Because a password must be committed to memory, many people choose character-based passwords that are easy to remember, such as a birthday or a relative's name. However, a password that is easy for a user to memorize may also be easy for a person with surreptitious motives, such as a “hacker” or “fraudster,” to guess, predict or acquire covertly. Alternatively, the user may elect to record a lengthy password on a piece of paper. However, if such a piece of paper is obtained by a hacker or fraudster, he or she may enter the secure system or network by posing as the user, and take actions within the system or network on the user's behalf.
Second, because the entry of a character-based password is required to access a variety of systems or networks, many people use the same or similar user names and/or passwords for several different systems or networks. For example, a person may utilize the same password, or similar passwords, to access his or her electronic mail account, bank account, credit card account or network server at work. If any one of these systems or networks is compromised, a hacker or fraudster may access the user's other accounts that are protected by the same password, or predict the user's passwords on other accounts having similar passwords, and thereby expose the user to a cascading risk of widespread fraud across multiple accounts.
Third, in an age when portable computing devices are increasingly able to perform a variety of functions, and are being built with smaller keyboards or other character-entry devices, the task of entering a lengthy character-based password may be difficult for users who wish to access secure systems or networks from such devices.
Fourth, and perhaps most importantly, the combinations available for use in character-based passwords or PINs are always mathematically limited in number. For example, a PIN formed from four digits has only 10^4 (or 10,000) combinations of numbers available to users. Where a password may be formed from the twenty-six letters of the modern English alphabet, an eight-character password has 26^8 (or 208,827,064,576) combinations of letters that are available to users. While this may be a very large number, a hacker or fraudster armed with computer-based processors may attempt to overcome a secure system or network by brute force, such as by running through each of the potential combinations of passwords or PINs very quickly, particularly if the hacker or fraudster is aware of personal information regarding the user that may suggest one or more combinations of letters or numbers that may more likely, or less likely, be included within a user's password or PIN.